Cybersecurity Firm ESET Manages to Disrupt Major Monero-Mining Botnet

Published at: April 23, 2020

Slovakian cybersecurity firm ESET has reported some success in disrupting the workings of a previously undetected Monero (XMR)-mining botnet in Latin America.

In an announcement on April 23, ESET said the malware had infected over 35,000 computers since May 2019, with 90% of compromised devices located in Peru.

Researchers have had some success in tackling the threat

ESET researchers have dubbed the botnet VictoryGate, noting that its main activity has been illicit Monero mining — also known as cryptojacking.

This is the industry term for stealth crypto-mining attacks that work by installing malware that uses a computer’s processing power to mine for cryptocurrencies without the owner’s consent or knowledge.

The firm’s announcement notes that the malware results in extremely high resource usage on infected computers, resulting in a sustained 90–99% CPU load that can lead to overheating and potentially damage the device.

The botnet propagates via external USB drives: to the user, an infected drive appears to hold files whose names and icons are identical to those it originally contained.

“However, the original files have been copied to a hidden directory in the root of the drive and Windows executables have been provided as apparent namesakes,” ESET writes.
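One defensive check that this lure pattern suggests, written here as an added example rather than ESET's own tooling: walk a drive root, index the files stored under any hidden top-level directory, and flag every root-level executable whose name shadows one of them. The drive layout is constructed inline in a temporary directory, and the `.exe` extension is an assumption, since the article says only "Windows executables".

```python
import stat
import tempfile
from pathlib import Path

# Assumption: the article says only "Windows executables"; .exe is what is checked here.
EXECUTABLE_SUFFIXES = {".exe"}


def is_hidden(path: Path) -> bool:
    """True for dot-prefixed names (POSIX) or the Windows hidden attribute."""
    if path.name.startswith("."):
        return True
    attrs = getattr(path.stat(), "st_file_attributes", 0)  # Windows only
    return bool(attrs & getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0))


def find_usb_lures(drive_root: str) -> list[tuple[str, str]]:
    """Return sorted (lure_executable, hidden_original) pairs for a drive root."""
    root = Path(drive_root)
    # Index files under hidden top-level directories by full name and by stem,
    # so both "thesis.exe" (for thesis.docx) and "photos.zip.exe" match.
    hidden_by_key: dict[str, Path] = {}
    for entry in root.iterdir():
        if entry.is_dir() and is_hidden(entry):
            for original in entry.rglob("*"):
                if original.is_file():
                    hidden_by_key.setdefault(original.name.lower(), original)
                    hidden_by_key.setdefault(original.stem.lower(), original)
    lures = []
    for entry in root.iterdir():
        if entry.is_file() and entry.suffix.lower() in EXECUTABLE_SUFFIXES:
            original = hidden_by_key.get(entry.stem.lower())
            if original is not None:
                lures.append((entry.name, original.relative_to(root).as_posix()))
    return sorted(lures)


def build_sample_drive() -> str:
    """Constructed drive layout mimicking the described lure; returns its root."""
    root = Path(tempfile.mkdtemp(prefix="usb_"))
    hidden = root / ".originals"  # dot prefix stands in for the hidden attribute
    hidden.mkdir()
    (hidden / "thesis.docx").write_bytes(b"original document")
    (hidden / "photos.zip").write_bytes(b"original archive")
    (root / "thesis.exe").write_bytes(b"MZ lure")      # namesake of thesis.docx
    (root / "photos.zip.exe").write_bytes(b"MZ lure")  # double-extension namesake
    (root / "setup.exe").write_bytes(b"MZ unrelated")  # no hidden twin: not flagged
    (root / "README.txt").write_bytes(b"benign")
    return str(root)
```

Running `find_usb_lures(build_sample_drive())` reports the two namesake executables and leaves the unrelated `setup.exe` alone.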

Having detected the botnet, ESET has had some success in disrupting its operations by taking down its command and control (C&C) server and setting up a “sinkhole.” The sinkhole diverts the bots’ requests to a domain name under ESET’s control, which has enabled the firm to monitor and control the infected hosts.

ESET says it is working with the non-profit Shadowserver Foundation to share sinkhole logs and jointly try to mitigate the threat posed by VictoryGate. The researchers emphasized:

“Despite our efforts, infected USB drives will continue to circulate and new infections will still occur. The main difference is that the bots will no longer receive commands from the C&C [...] However, those PCs that were infected prior to the disruption may continue to perform cryptomining on behalf of the botmaster.”

Users can meanwhile use the firm’s free online scanner if they believe their device has been infected by the botnet.

Cybercriminals and privacy coin Monero

As recently reported, the attackers behind the so-dubbed “Sodinokibi” ransomware have recently switched from Bitcoin (BTC) to Monero to better protect their identities from law enforcement.

Earlier this month, major United Kingdom-based firm Travelex was forced to fork out almost $2.3 million in Bitcoin after being infected by Sodinokibi on New Year’s Eve 2020.
